I'm intrigued by router issues; the folks at gnucitizen have published numerous router exploits in recent months. The problem is that they hack their own router brand, something I cannot test myself because I don't own one. Since I'm always short on the green, I thought it would be a good idea for each of us to inspect and pentest our own router. This way we can figure out how severe the router vulnerability landscape really is. The incentive is that you'll learn how to hack routers, so you get something out of it too. So are you up to it? Can you handle it? Can you find a vulnerability in your personal router? Then you are the perfect candidate to join!

The contest runs from 2 February until 29 February. If there are enough submissions, I will write about it and compose a list of the best router hacks that were submitted. I will also pick my personal favorite from that list as the main winner. The Hacker Webzine is growing every day; the site gets 100 to 150K hits each week, so this can give you a lot of attention and spotlight! The rules are very flexible: every kind of exploit is allowed, from buffer overflows to the CSRF issues that plague many routers. My personal favorites are CSRF issues, since they work in any situation: the victim's browser sends the router's session cookie along with a request forged by any web page they happen to visit, so the attacker needs no foothold on the LAN.

You can submit your entries to this email: hackerwebzine[at]gmail[dot]com.

Happy router hacking!

For some inspiration, you can visit gnucitizen.org or take a look at this example that shows a CSRF issue that was discovered last week on the 2Wire router brand:

Yeah, I understand. I also post my submission, so I'm not that afraid actually, if I can find one of course. :) But on the other hand, if routers are vulnerable and your brand is among them, it is probably known already and probably used.

But the flip side is that you'll get to know your own router's issues, and maybe protect it, like adjusting the router's firewall settings. :)

Ronald, I think that this is an excellent idea and we are also interested in facilitating it in any possible way. So, apart from featuring the stuff on 0x000000, we can also feature it on GNUCITIZEN or, even better, construct one mega fat router hacking paper, a paper that is written from the community for the community. So what do you think?

If you want to compose a post on gnucitizen, that would be fine with me. It also broadens the number of people involved, I guess. Can you let me know how you are going to pick this up? If so, I can adjust my post about it and direct it to yours.

Sure, ok... First I need a post, which I will be done with by the end of today, and then I will let you know. Then I will contact some friends to spread the word. It will be fun. :) Let's see what will happen.

Well, I still have to check several things one more time, but I think that I can turn my SOHO router into a sniffer for WAN <=> LAN/WLAN, LAN <=> LAN, WLAN <=> WLAN and WLAN <=> LAN traffic.
And you can do this attack from a remote location. ;)

Ok, before I can finish my attack for turning my router into a sniffer from the outside, I need a little help from you guys.
The router's webserver instructs my web browser to save the content instead of just displaying it as a normal text file.
Is there any solution for another website to save that content? Maybe I have a mental block now...

I need anti-DNS-pinning for doing that job and I don't have a root server to check it the right way from the Internet. So I can't test it on my own.
That's why I'm releasing more info in my next posting.

But now I have to figure out where my before-0-day XSS vulnerability in the Serendipity weblog software exists in the code (core or plugin) first. ;)
For those who are interested: http://www.bitsploit.de/uploads/Code/200802080000/

BTW: You can sniff some PPP LC traffic between your ADSL-router and the DSLAM or BRAS (?!) next to it.

I finally sat down and wrote a POC for my router, a D-Link DSL-G604T. It's probably going in the bin after this. :) I can read any file on the router remotely and the entire thing can be CSRF'd to death. In the sample code I show how to read the config file (or any other file) and change the DNS settings to anything you like.

I'm using a ZyXEL P-660HW Series http://www.zyxel.com/web/product_family_detail.php?PC1indexflag=20040812093058&CategoryGroupNo=AC5783AE-9475-41AD-BDA5-0997187F44AA . There is a lot of CSRF stuff on this router: it can be used to change DNS servers and add keywords to the URL banned list. It's also affected by the IP-based session management attacks mentioned on gnucitizen, and to authenticate you only need a password, which by default is 'admin'. I created two simple proofs of concept abusing an XSS flaw which requires the user to be logged on.

TP-Link Wifi thingy... I googled to see if there is a relationship with Netgear; one page said it's actually a Netgear brand, but the funny thing is that Google warned me not to visit tp-link.com as it may contain malware...

@EWSec
In fact, the best protection is when you can't access your own router anymore, e.g. block port 80 traffic; the only way to regain service would be a full reset, since no one should be able to see, finger or touch the router.

* unplug your router and throw it in the bin
* disconnect from the internet
* use pigeons for data transfer

Yes, it is slow, and yes, they are vulnerable to guns and food poisoning, but attackers are not aware of this yet, so it should work for all of us. I think that there is an RFC for it as well. Look for IP over Pigeons.